Abstract. Under the assumption of a certain conjecture, for which there exists strong experimental evidence, we produce an efficient algorithm for constructive membership testing in the Suzuki groups $\mathrm{Sz}(q)$, where $q = 2^{2m+1}$ for some $m > 0$, in their natural representations of degree 4. It is a Las Vegas algorithm with running time $O(\log(q))$ field operations, and a preprocessing step with running time $O(\log(q) \log\log(q))$ field operations. The latter step needs an oracle for the discrete logarithm problem in $\mathbb{F}_q$.

We also produce a recognition algorithm for $\mathrm{Sz}(q) = \langle X \rangle$. This is a Las Vegas algorithm with running time O(|X| ) field operations.

Finally, we give a Las Vegas algorithm that, given $\langle X \rangle^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$, finds some $g$ such that $\langle X \rangle^g = \mathrm{Sz}(q)$. The running time is $O(\log(q) \log\log(q) + |X|)$ field operations.

Implementations of the algorithms are available for the computer system Magma.



1. Introduction 

A goal of the matrix recognition project is to develop efficient algorithms for the study of subgroups of $\mathrm{GL}(d, q)$. The classification due to Aschbacher (see £Q) provides one framework for this, and the first aim is to develop an algorithm that finds a composition series of a matrix group given by a set of generators. It is possible to do this with a recursive algorithm, and the recursion is described in jlfij . However, we still have to deal with the base cases, which are the finite simple groups.

For each base case we need to perform parts of constructive recognition. The simple group is given as $G = \langle X \rangle$ where $X \subseteq \mathrm{GL}(d, q)$ for some $d, q$, and constructive recognition encompasses the following problems:

(1) The problem of recognition or naming of $G$, i.e. decide the name of $G$, as in the classification of the finite simple groups.

(2) The constructive membership problem. Given $g \in \mathrm{GL}(d, q)$, decide whether or not $g \in G$, and if so express $g$ as a word (or SLP, see Section 3.2) in $X$.

(3) Construct an isomorphism $\psi$ from $G$ to a standard copy $H$ of $G$ such that $\psi(g)$ and $\psi^{-1}(h)$ can be computed efficiently for every $g \in G$ and $h \in H$. Sometimes this particular problem is what is meant by "constructive recognition".

To find a composition series using , we need only recognition and constructive membership, but the explicit isomorphisms to a standard copy are also very useful. Given these, many problems, including constructive membership, can be reduced to the standard copy.

This paper will consider the Suzuki groups $\mathrm{Sz}(q)$, $q = 2^{2m+1}$ for $m > 0$, which is one of the infinite families of finite simple groups. We will only consider the natural representation, which has dimension 4, and our standard copy will be $\mathrm{Sz}(q)$ defined in Section 2.

In Section 5 we solve the constructive membership problem for $\mathrm{Sz}(q)$. In Section El we solve the recognition problem for $\mathrm{Sz}(q)$, i.e. given $X \subseteq \mathrm{GL}(4, q)$ we give an algorithm that decides whether or not $\langle X \rangle = \mathrm{Sz}(q)$. In Section we consider these problems for conjugates of $\mathrm{Sz}(q)$. Given $X \subseteq \mathrm{GL}(4, q)$ we give an algorithm that decides whether or not $\langle X \rangle^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$. We also give an algorithm that computes an isomorphism to $\mathrm{Sz}(q)$, by finding some $g$ such that $\langle X \rangle^g = \mathrm{Sz}(q)$.

Other representations are dealt with in [2]. The main objective of this paper is 
to prove the following: 

Theorem 1.1. Assuming Conjecture 4.2 and given a random element oracle for subgroups of $\mathrm{GL}(4, q)$ and an oracle for the discrete logarithm problem in $\mathbb{F}_q$, there exists a Las Vegas algorithm that, for each $X \subseteq \mathrm{GL}(4, q)$, with $q = 2^{2m+1}$ for some $m > 0$, such that $\langle X \rangle^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$, finds $g \in \mathrm{GL}(4, q)$ such that $\langle X \rangle^g = \mathrm{Sz}(q)$ and solves the constructive membership problem for $\langle X \rangle$. The algorithm has time complexity $O(\log(q))$ field operations and also has a preprocessing step, which only needs to be executed once for a given $X$, with time complexity $O(\log(q) \log\log(q) + |X|)$ field operations. The discrete logarithm oracle is only needed in the preprocessing step.

Proof. Follows from Theorem 7.5, Theorem 5.2, Theorem 5.3 and Theorem 5.4. □

In Section 8 experimental evidence for Conjecture 4.2 is shown.

In constructive membership testing for $\mathrm{Sz}(q)$, the essential problem is to find elements of even order. In this paper, this is achieved by using the fact that $\mathrm{Sz}(q)$ acts doubly transitively on a certain set $\mathcal{O} \subseteq \mathbb{P}^3(\mathbb{F}_q)$. After finding independent random elements in the stabiliser of a point, which is done by finding elements that map one point to another, it becomes easy to find elements of even order. This is because the structure of the stabiliser of a point is known, and by Proposition 5.1 we can easily find elements of even order in it.

For every cyclic subgroup $C$ of order $q - 1$, the proportion of double cosets of $C$ in $\mathrm{Sz}(q)$ that contain an element that maps one given point to another is high. The need to consider double cosets rather than single cosets arises from the fact that $\mathcal{O}$ contains $q^2 + 1$ points, and most double cosets have size $(q - 1)^2$. In the analogous problem for $\mathrm{SL}(2, q)$ (see |S]), which acts on a set with $q + 1$ points, single cosets of a subgroup of order $q - 1$ are used.

One can view this as a process of applying permutation group techniques on a set which is exponentially large in terms of the input. Since $\mathcal{O}$ has size $q^2 + 1$, we cannot explicitly write down all its points and still have a polynomial time algorithm, and therefore we cannot write down the elements of $\mathrm{Sz}(q)$ as permutations. However, given two points we can construct in polynomial time an element of $\mathrm{Sz}(q)$ that maps one point to the other, which is a typical permutation group technique.

Implementations of the algorithms are available in Magma (see 

We are very grateful to the anonymous referee for the helpful advice and the 
large number of comments. We also acknowledge John Bray, Charles Leedham- 
Green, Eamonn O'Brien, Geoffrey Robinson, Maud de Visscher and Robert Wilson 
for their help and encouragement. 

2. The simple Suzuki groups 

We begin by defining our standard copy of the Suzuki group. Following [14, Chapter 11], let $\pi$ be the unique automorphism of $\mathbb{F}_q$ such that $\pi^2(x) = x^2$ for every $x \in \mathbb{F}_q$, i.e. $\pi(x) = x^t$ where $t = 2^{m+1}$. For $a, b \in \mathbb{F}_q$ and $c \in \mathbb{F}_q^*$, define the

(2.1)

(2.2)

(2.3)

By definition,

$$\mathrm{Sz}(q) = \langle S(a, b), M(c), T \mid a, b \in \mathbb{F}_q,\ c \in \mathbb{F}_q^* \rangle. \tag{2.4}$$

If we define

$$\mathcal{F} = \{ S(a, b) \mid a, b \in \mathbb{F}_q \} \tag{2.5}$$
$$\mathcal{H} = \{ M(c) \mid c \in \mathbb{F}_q^* \} \tag{2.6}$$

then $\mathcal{F} \leq \mathrm{Sz}(q)$ with $|\mathcal{F}| = q^2$ and $\mathcal{H} \cong \mathbb{F}_q^*$ so that $\mathcal{H}$ is cyclic of order $q - 1$. Moreover, we can write $M(c)$ as

$$M(c) = M'(\lambda) = \begin{bmatrix} \lambda^{t+1} & 0 & 0 & 0 \\ 0 & \lambda & 0 & 0 \\ 0 & 0 & \lambda^{-1} & 0 \\ 0 & 0 & 0 & \lambda^{-t-1} \end{bmatrix}$$



where A = c . 

The following result follows from ^| Chapter 11]. 

Theorem 2.1. (1) The order of the Suzuki group is

$$|\mathrm{Sz}(q)| = (q^2 + 1) q^2 (q - 1).$$

(2) For all $a, b, a', b' \in \mathbb{F}_q$ and $\lambda \in \mathbb{F}_q^*$ we have:

$$S(a, b) S(a', b') = S(a + a', b + b' + a^t a')$$

$$S(a, b)^{M(\lambda)} = S(\lambda a, \lambda^{t+1} b).$$

(2.7) (2.8) (2.9) (2.10)

(3) There exists $\mathcal{O} \subseteq \mathbb{P}^3(\mathbb{F}_q)$ on which $\mathrm{Sz}(q)$ acts faithfully and doubly transitively, such that no nontrivial element of $\mathrm{Sz}(q)$ fixes more than 2 points. This set is

$$\mathcal{O} = \{ (1 : 0 : 0 : 0) \} \cup \{ (ab + \pi(a) a^2 + \pi(b) : b : a : 1) \mid a, b \in \mathbb{F}_q \}. \tag{2.11}$$

(4) The stabiliser of $P_\infty = (1 : 0 : 0 : 0) \in \mathcal{O}$ is $\mathcal{F}\mathcal{H}$ and if $P_0 = (0 : 0 : 0 : 1)$ then the stabiliser of $(P_\infty, P_0)$ is $\mathcal{H}$.

(5) $Z(\mathcal{F}) = \{ S(0, b) \mid b \in \mathbb{F}_q \}$ and $\mathcal{F}\mathcal{H}$ is a Frobenius group with Frobenius kernel $\mathcal{F}$.

(6) The number of elements of order $q - 1$ is $\phi(q - 1) q^2 (q^2 + 1)/2$, where $\phi$ is the Euler totient function.

(7) Let $g \in G = \mathrm{Sz}(q)$. Then for every $x \in G$, $C_G(g) \cap C_G(g)^x = \langle 1 \rangle$ if $C_G(g) \neq C_G(g)^x$.

(8) $\mathrm{Sz}(q)$ has cyclic Hall subgroups $U_1$ and $U_2$ of orders $q \pm t + 1$.

From Chapter 11, Remark 3.12] we also immediately obtain the following result.

Theorem 2.2. A maximal subgroup of $G = \mathrm{Sz}(q)$ is conjugate to one of the following subgroups.

(1) The point stabiliser $\mathcal{F}\mathcal{H}$.

(2) The normaliser $N_G(\mathcal{H})$, which is dihedral of order $2(q - 1)$.

(3) The normalisers $B_i = N_G(U_i)$ for $i = 1, 2$. These satisfy $B_i = \langle U_i, t_i \rangle$ where $u^{t_i} = u^q$ for every $u \in U_i$ and $[B_i : U_i] = 4$.

(4) $\mathrm{Sz}(s)$ where $q$ is a power of $s$.

If $G$ is a group acting on a set $\mathcal{O}$ and $P \in \mathcal{O}$, let $G_P \leq G$ denote the stabiliser of $P$ in $G$.

Let $\mathrm{Sp}(4, q)$ denote the standard copy of the symplectic group, preserving the following symplectic form:

$$J = \begin{bmatrix} 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 \end{bmatrix} \tag{2.12}$$



From ^H] and [2H1 Chapter 3], we know that the elements of $\mathrm{Sz}(q)$ are precisely the fixed points of an automorphism $\Psi$ of $\mathrm{Sp}(4, q)$; from [25, Chapter 3], computing $\Psi(g)$ for some $g \in \mathrm{Sp}(4, q)$ amounts to taking a submatrix of the exterior square of $g$ and then replacing each matrix entry $x$ by x 2 . Moreover, $\Psi$ is defined on $\mathrm{Sp}(4, F)$ for $F \geq \mathbb{F}_q$.

If $V$ is an $FG$-module for some group $G$ and field $F$, with action $f : FG \times V \to V$, and if $\Phi$ is an automorphism of $G$, denote by $V^\Phi$ the $FG$-module which has the same elements as $V$ and where the action is given by $(g, v) \mapsto f(\Phi(g), v)$ for $g \in G$ and $v \in V$, extended to $FG$ by linearity.

Lemma 2.3. Let $G \leq \mathrm{Sp}(4, q)$ have natural module $V$ and assume that $V$ is absolutely irreducible. Then $G^h \leq \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$ if and only if $V \cong V^\Psi$.

Proof. Assume $G^h \leq \mathrm{Sz}(q)$. Both $G$ and $\mathrm{Sz}(q)$ preserve the form (2.12), and this form is unique up to a scalar multiple, since $V$ is absolutely irreducible. Therefore $h J h^T = \lambda J$ for some $\lambda \in \mathbb{F}_q^*$. But if $\mu = \sqrt{\lambda^{-1}}$ then $(\mu h) J (\mu h)^T = J$, so that $\mu h \in \mathrm{Sp}(4, q)$. Moreover, $G^h = G^{\mu h}$, and hence we may assume that $h \in \mathrm{Sp}(4, q)$. Let $x = h \Psi(h^{-1})$ and observe that for each $g \in G$, $\Psi(g^h) = g^h$. It follows that

$$g^x = \Psi(h) g^h \Psi(h^{-1}) = \Psi(h g^h h^{-1}) = \Psi(g) \tag{2.13}$$

so $V \cong V^\Psi$.

Conversely, assume that $V \cong V^\Psi$. Then there is some $h \in \mathrm{GL}(4, q)$ such that for each $g \in G$ we have $g^h = \Psi(g)$. As above, since both $G$ and $\Psi(G)$ preserve the form (2.12), we may assume that $h \in \mathrm{Sp}(4, q)$.

Let $K$ be the algebraic closure of $\mathbb{F}_q$. The Steinberg-Lang Theorem (see [22]) asserts that there exists $x \in \mathrm{Sp}(4, K)$ such that $h = x^{-1} \Psi(x)$. It follows that

$$\Psi(g^{x^{-1}}) = \Psi(g)^{\Psi(x^{-1})} = g^{x^{-1}} \tag{2.14}$$

so that $G^{x^{-1}} \leq \mathrm{Sz}(q)$. Thus $G$ is conjugate in $\mathrm{GL}(4, K)$ to a subgroup $S$ of $\mathrm{Sz}(q)$, and it follows from [10, Theorem 29.7] that $G$ is conjugate to $S$ in $\mathrm{GL}(4, q)$. □

Lemma 2.4. If $H \leq G = \mathrm{Sz}(q)$ is a cyclic group of order $q - 1$ and $g \in G \setminus N_G(H)$ then $|HgH| = (q - 1)^2$.

Proof. Since $|H| = q - 1$ it is enough to show that $H \cap H^g = \langle 1 \rangle$. By [21 Chapter 11], $H$ is conjugate to $\mathcal{H}$ and distinct conjugates of $\mathcal{H}$ intersect trivially. □

Lemma 2.5. If $g \in G = \mathrm{Sz}(q)$ is uniformly random, then

and hence we expect to obtain an element of order $q - 1$ in $O(\log\log q)$ random selections.

Proof. The first equality follows immediately from Theorem 2.1. The inequality follows from ^| Section II. 8].

Now let $\varepsilon = 1/(12 \log\log(q))$ and $\delta = e^{-k}$ for some $k \in \mathbb{N}$. If we take uniformly random elements from $G$, then the probability that we have not found an element of order $q - 1$ after $\lceil \log \delta / \log(1 - \varepsilon) \rceil$ consecutive tries is at most $\delta$, and

log (1 - e) e

which is $O(\log\log(q))$, so the statement follows. □

Lemma 2.6. The number of elements of $G = \mathrm{Sz}(q)$ that fix at least one point of $\mathcal{O}$ is $q^2 (q - 1)(q^2 + q + 2)/2$.

Proof. By [14, Chapter 11], if $g \in G$ fixes exactly one point, then $g$ is in a conjugate of $\mathcal{F}$, and if $g$ fixes two points then $g$ is in a conjugate of $\mathcal{H}$. This implies that there are $(|\mathcal{F}| - 1) |\mathcal{O}|$ elements that fix exactly one point. Similarly, there are $\binom{|\mathcal{O}|}{2} (|\mathcal{H}| - 1)$ elements that fix exactly two points.

Thus the number of elements that fix at least one point is

$$1 + (|\mathcal{F}| - 1) |\mathcal{O}| + \binom{|\mathcal{O}|}{2} (|\mathcal{H}| - 1) = \frac{q^2 (q - 1)(q^2 + q + 2)}{2}. \tag{2.17}$$

□

Lemma 2.7. Elements of odd order in $\mathrm{Sz}(q)$ that have the same trace are conjugate.

Proof. From [23], the number of conjugacy classes of non-identity elements of odd order is $q - 1$, and all elements of even order have trace 0. Observe that

$$S(0, b) T = \begin{bmatrix} 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & b \\ 1 & 0 & b & b^t \end{bmatrix} \tag{2.18}$$

Since $b$ can be any element of $\mathbb{F}_q$, so can $\mathrm{Tr}(S(0, b) T)$, and this also implies that $S(0, b) T$ has odd order when $b \neq 0$. Therefore there are $q - 1$ possible traces for non-identity elements of odd order, and elements with different trace must be non-conjugate, so all conjugacy classes must have different traces. □

3. Preliminaries 

We will now briefly discuss some general concepts that are needed later. 

3.1. Complexity. We shall be concerned with the time complexity of the algorithms involved, where the basic operations are the field operations, and not the bit operations. In our case, the matrix dimension will always be 4, so all simple arithmetic with matrices can be done using $O(1)$ field operations, and raising a matrix to the $O(q)$ power can be done using $O(\log q)$ field operations using the standard method of repeated squaring. We shall also assume an oracle for the discrete logarithm problem for $\mathbb{F}_q$, so that this can be solved using $O(1)$ field operations.

We will need to find an element of order $q - 1$. The order can be computed using the algorithm of [B]. To obtain the precise order, this algorithm requires a factorisation of $q - 1$, otherwise it might return a multiple of the correct order. However, it suffices for our purposes to learn a pseudo-order of the element, which is a multiple of its order, since it will suffice to find a nontrivial element of order dividing $q - 1$. Hence we avoid the requirement to factorise $q - 1$. The algorithm of [Hj can also be used to obtain the pseudo-order, and for this it has time complexity $O(\log(q) \log\log(q))$ field operations.

3.2. Straight line programs. For constructive membership testing, we want to express an element of a group $G = \langle X \rangle$ as a word in $X$. Actually, it should be a straight line program, abbreviated to SLP. If we express the elements as words, the length of the words might be too large, requiring exponential space complexity.

An SLP is a data structure for words, which ensures that subwords occurring multiple times are computed only once. Formally, given a set of generators $X$, an SLP is a sequence $(s_1, s_2, \ldots, s_n)$ where each $s_i$ represents one of the following

• an $x \in X$

• a product $s_j s_k$, where $j, k < i$

• a power $s_j^n$ where $j < i$ and $n \in \mathbb{Z}$

• a conjugate $s_j^{s_k}$ where $j, k < i$

so $s_i$ is either a pointer into $X$, a pair of pointers to earlier elements of the sequence, or a pointer to an earlier element and an integer.

Thus to construct an SLP for a word, one starts by listing pointers to the gen- 
erators of X, and then builds up the word. To evaluate the SLP, go through the 
sequence and perform the specified operations. Since we use pointers to the ele- 
ments of X, we can immediately evaluate the SLP on another set Y of the same 
size as X, by just changing the pointers so that they point to elements of Y. 
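
The SLP data structure described above, as an added example (not code from the paper or from its Magma implementation). The class and function names, the 2×2 matrices over GF(7) and the generating sets X and Y are constructed for illustration; the example shows a word of length about $2^{42}$ stored in 45 steps and then re-evaluated on a second set of the same size.

```python
P = 7  # small prime field, chosen only for the demonstration

def mat_mul(a, b):
    """Product of 2x2 matrices over GF(P)."""
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2)) % P
                       for j in range(2)) for i in range(2))

def mat_inv(a):
    """Inverse of an invertible 2x2 matrix over GF(P) via the adjugate."""
    det = (a[0][0] * a[1][1] - a[0][1] * a[1][0]) % P
    d = pow(det, P - 2, P)
    return ((a[1][1] * d % P, -a[0][1] * d % P),
            (-a[1][0] * d % P, a[0][0] * d % P))

IDENTITY = ((1, 0), (0, 1))

def group_power(g, n, mul, inv, identity):
    """g^n by repeated squaring; negative n goes through the inverse."""
    if n < 0:
        g, n = inv(g), -n
    result = identity
    while n:
        if n & 1:
            result = mul(result, g)
        g = mul(g, g)
        n >>= 1
    return result

class SLP:
    """Sequence (s_1, ..., s_n); each step points only to earlier steps."""

    def __init__(self, num_generators):
        # The first steps are the pointers into the generating set X.
        self.steps = [("gen", i) for i in range(num_generators)]

    def _add(self, step, *earlier):
        if any(not 0 <= j < len(self.steps) for j in earlier):
            raise IndexError("a step may only refer to earlier steps")
        self.steps.append(step)
        return len(self.steps) - 1

    def product(self, j, k):
        return self._add(("mul", j, k), j, k)

    def power(self, j, n):
        return self._add(("pow", j, int(n)), j)

    def conjugate(self, j, k):
        return self._add(("conj", j, k), j, k)

    def evaluate(self, gens, mul, inv, identity):
        """Evaluate on any list of group elements of the same size as X."""
        vals = []
        for step in self.steps:
            kind = step[0]
            if kind == "gen":
                vals.append(gens[step[1]])
            elif kind == "mul":
                vals.append(mul(vals[step[1]], vals[step[2]]))
            elif kind == "pow":
                vals.append(group_power(vals[step[1]], step[2], mul, inv, identity))
            else:  # conjugate: s_j^{s_k} = s_k^{-1} s_j s_k
                s_j, s_k = vals[step[1]], vals[step[2]]
                vals.append(mul(mul(inv(s_k), s_j), s_k))
        return vals[-1]

    def word_length(self):
        """Length of the last step written out as a word in X and inverses."""
        lengths = []
        for step in self.steps:
            kind = step[0]
            if kind == "gen":
                lengths.append(1)
            elif kind == "mul":
                lengths.append(lengths[step[1]] + lengths[step[2]])
            elif kind == "pow":
                lengths.append(abs(step[2]) * lengths[step[1]])
            else:
                lengths.append(lengths[step[1]] + 2 * lengths[step[2]])
        return lengths[-1]

# Constructed generating sets of the same size.
X = [((1, 1), (0, 1)), ((1, 0), (1, 1))]
Y = [((2, 0), (0, 4)), ((0, 1), (6, 0))]

def build_example():
    """((x1 x2)^(2^40) conjugated by x1)^(-3) as an SLP on two generators."""
    slp = SLP(2)
    w = slp.product(0, 1)
    for _ in range(40):
        w = slp.product(w, w)      # each step doubles the word length
    c = slp.conjugate(w, 0)
    slp.power(c, -3)
    return slp

if __name__ == "__main__":
    slp = build_example()
    print(len(slp.steps), "steps encode a word of length", slp.word_length())
    print("on X:", slp.evaluate(X, mat_mul, mat_inv, IDENTITY))
    print("on Y:", slp.evaluate(Y, mat_mul, mat_inv, IDENTITY))
```
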

3.3. Random elements. Our analysis assumes that we can construct uniformly distributed random elements of a group $G$ defined by a generating set $X$. The polynomial time algorithm of produces nearly uniformly distributed random elements; an alternative polynomial time algorithm is the product replacement algorithm of [Zj. We will assume that we have a random element oracle, which produces a uniformly random element using $O(1)$ field operations, and automatically gives it as an SLP in $X$.

An important issue is the length of the SLPs that are computed. The length of the SLPs must be polynomial, otherwise it would not be polynomial time to evaluate them. We assume that SLPs of random elements have length $O(1)$.

3.4. Las Vegas algorithms. All the algorithms we consider are probabilistic of the type known as Las Vegas algorithms. This type of algorithm is discussed in [24, Section 25.8], [20, Section 1.3] and ^3 Section 3.2.1]. In short it is a probabilistic algorithm with an input parameter $\varepsilon$ that either returns failure, with probability at most $\varepsilon$, or otherwise returns a correct result. The time complexity naturally depends on $\varepsilon$.

We present Las Vegas algorithms as probabilistic algorithms that either return a correct result, with probability bounded below by $1/p(n)$ for some polynomial $p(n)$ in the size $n$ of the input, or otherwise return failure. By enclosing such an algorithm in a loop that iterates $\lceil \log \varepsilon / \log(1 - 1/p(n)) \rceil$ times, we obtain an algorithm that returns failure with probability at most $\varepsilon$, and hence is a Las Vegas algorithm in the above sense. Clearly if the enclosed algorithm is polynomial time, the Las Vegas algorithm is polynomial time.

One can also enclose the algorithm in a loop that iterates until the algorithm returns a correct result, thus obtaining a probabilistic time complexity, and the expected number of iterations is then $O(p(n))$.



RECOGNISING THE SUZUKI GROUPS IN THEIR NATURAL REPRESENTATIONS 






4. Computing an element of a stabiliser 

As explained in the introduction, in constructive membership testing for $\mathrm{Sz}(q)$ the essential problem is to find an element of the stabiliser of a given point $P \in \mathcal{O}$, expressed as an SLP in our given generators $X$ of $G = \mathrm{Sz}(q)$. The idea is to map $P$ to $Q \neq P$ by a random $g_1 \in G$, and then compute $g_2 \in G$ such that $P g_2 = Q$, so that $g_1 g_2^{-1} \in G_P$.

Thus the problem is to find an element that maps $P$ to $Q$, and the idea is to look for it in double cosets of cyclic subgroups of order $q - 1$. We first give an overview of the method.

Begin by selecting random $a, h \in G$ such that $a$ has pseudo-order $q - 1$, and consider the equation

$$P a^j h a^i = Q \tag{4.1}$$

in the two indeterminates $i, j$. If we can solve this equation for $i$ and $j$, thus obtaining positive integers $k, l$ such that − 1 and $P a^l h a^k = Q$, then we have an element that maps $P$ to $Q$.

Since $a$ has order dividing $q - 1$, by [14, Chapter 11], $a$ is conjugate to a matrix $M'(\lambda)$ for some $\lambda \in \mathbb{F}_q^*$. This implies that we can diagonalise $a$ and obtain a matrix $x \in \mathrm{GL}(4, q)$ such that $M'(\lambda)^x = a$. It follows that if we define $P' = P x^{-1}$, $Q' = Q x^{-1}$ and $g = h^{x^{-1}}$ then (4.1) is equivalent to

$$P' M'(\lambda)^j g M'(\lambda)^i = Q'. \tag{4.2}$$

Now change indeterminates to $\alpha$ and $\beta$ by letting $\alpha = \lambda^j$ and $\beta = \lambda^i$, so that we obtain the following equation:

$$P' M'(\alpha) g M'(\beta) = Q'. \tag{4.3}$$

This determines four equations in $\alpha$ and $\beta$, and in Section 4.1 we will describe how to find solutions for them. A solution $(\gamma, \delta) \in \mathbb{F}_q^* \times \mathbb{F}_q^*$ determines $M'(\gamma), M'(\delta) \in \mathcal{H}$, and hence also $c, d \in H = \mathcal{H}^x$.

If $|a| = q - 1$ then $\langle a \rangle = H$, so that there exist positive integers $k$ and $l$ as above with $a^l = c$ and $a^k = d$, and these integers can be found by computing discrete logarithms, since we also have $\lambda^l = \gamma$ and $\lambda^k = \delta$. Hence we obtain a solution to (4.1) from the solution to (4.3). If $|a|$ is a proper divisor of $q - 1$, then it might happen that $c \notin \langle a \rangle$ or $d \notin \langle a \rangle$, but by Lemma 2.5 we know that this is unlikely.

Thus the overall algorithm is as in Algorithm 1. We show the time complexity of the algorithm in Section 4.2 and prove that it is correct in Section 4.3.

4.1. Solving equation (4.3). We will now show how to obtain the solutions of (4.3). It might happen that there are no solutions, in which case the method described here will detect this and return with failure.

By letting $P' = (q_1 : q_2 : q_3 : q_4)$, $Q' = (r_1 : r_2 : r_3 : r_4)$ and $g = [g_{i,j}]$, we can write out (4.3) and obtain

$$\begin{aligned}
(q_1 g_{1,1} \alpha^{t+1} + q_2 g_{2,1} \alpha + q_3 g_{3,1} \alpha^{-1} + q_4 g_{4,1} \alpha^{-t-1}) \beta^{t+1} &= C r_1 \\
(q_1 g_{1,2} \alpha^{t+1} + q_2 g_{2,2} \alpha + q_3 g_{3,2} \alpha^{-1} + q_4 g_{4,2} \alpha^{-t-1}) \beta &= C r_2 \\
(q_1 g_{1,3} \alpha^{t+1} + q_2 g_{2,3} \alpha + q_3 g_{3,3} \alpha^{-1} + q_4 g_{4,3} \alpha^{-t-1}) \beta^{-1} &= C r_3 \\
(q_1 g_{1,4} \alpha^{t+1} + q_2 g_{2,4} \alpha + q_3 g_{3,4} \alpha^{-1} + q_4 g_{4,4} \alpha^{-t-1}) \beta^{-t-1} &= C r_4
\end{aligned} \tag{4.4}$$

for some constant $C \in \mathbb{F}_q$. Henceforth, we assume that for $i = 1, \ldots, 4$, since this is the difficult case, and also extremely likely when $q$ is large, as can be seen from Proposition 4.1. A method similar to the one described in this section will solve (4.3) when some = and Algorithm 1 does not assume that all $\neq 0$.

Algorithm 1: FindMappingElement

Data: Generating set $X$ for $G = \mathrm{Sz}(q)$ and points $P \neq Q \in \mathcal{O}$
Result: An element $g$ of $G$, written as an SLP in $X$, such that $Pg = Q$
/* Assumes the existence of a function SolveEquation that solves (4.3), if possible. Also, assumes that the function Random returns an element as an SLP in X, and that DiscreteLog returns a positive integer if a discrete logarithm exists and 0 otherwise. */

 1 begin
 2     h := Random(G)
       /* Find random element a of pseudo-order q − 1 */
 3     a := Random(G)
 4     if |a| | q − 1 then
 5         (M'(λ), x) := Diagonalise(a)
           /* Now M'(λ)^x = a */
 6         if SolveEquation(h^{x^{-1}}, P x^{-1}, Q x^{-1}) then
 7             Let (γ, δ) be a solution.
 8             l := DiscreteLog(λ, γ)
 9             k := DiscreteLog(λ, δ)
10             if k > 0 and l > 0 then
11                 return a^l h a^k
12             end
13         end
14     end
15     return fail
16 end



Proposition 4.1. If $P' = (p_1 : p_2 : p_3 : p_4) \in \mathcal{O}^x$ is uniformly random, where $\mathcal{O}^x = \{ Px \mid P \in \mathcal{O} \}$ for some $x \in \mathrm{GL}(4, q)$, then
Pr[ Pl ^0|^l,...,4]^(l-^) 4 . (4.5) 

Proof. Let P' = and $x = [x_{i,j}]$. If $P = (1 : 0 : 0 : 0)$ then $P' = (x_{1,1} : x_{1,2} : x_{1,3} : x_{1,4})$ so clearly

Pr[ Pl = I some ,*] < J- + (1 - -L) 

(1 - Pr[(a t+2 + 6* + 06)2:1,1 + x 2 ,ib + x 3A a + x iA ^0\a^0,b^ 0] 4 ). (4.6) 
Now it follows that 

Pr[(a i+2 + b l + ab)xx,i + x 2 ,ib + x 3A a + x 4A = 0|a^0, 6^0] = 

= P4(k t+2 +b t +kb)x 1A +x 2 sb+x 3 sk+x 4:A = | a = k, b ^ 0] Pr[a = k] ^ - 

(4.7) 

since in a field a polynomial of degree $t$ has at most $t$ roots. The result follows by observing that $t = \sqrt{2q}$. □

For convenience, we denote the expressions in the parentheses at the left hand sides of (4.4) as $K$, $L$, $M$ and $N$ respectively. Then if we let $C = L \beta r_2^{-1}$ we obtain three equations

$$\begin{aligned}
K \beta^{t} &= r_1 r_2^{-1} L \\
M \beta^{-2} &= r_3 r_2^{-1} L \\
N \beta^{-t-2} &= r_4 r_2^{-1} L
\end{aligned} \tag{4.8}$$

and in particular $\beta$ is a function of $\alpha$, since

$$\beta = \sqrt{L^{-1} M r_3^{-1} r_2}. \tag{4.9}$$

By substituting the first two equations into the third in (4.8) we obtain

$$N K r_2 r_3 = r_1 r_4 M L \tag{4.10}$$

and by raising the first equation to the $t$-th power and substituting into the second, we obtain

$$r_1 r_3^{t/2} L^{1+t/2} = r_2^{1+t/2} M^{t/2} K. \tag{4.11}$$

If instead we let $C = M \beta^{-1} r_3^{-1}$ and proceed similarly, we obtain two more equations

$$N^t L r_3^{t+1} = M^{t+1} r_2 r_4^t \tag{4.12}$$
$$N L^{t/2} r_3^{1+t/2} = M^{1+t/2} r_4 r_2^{t/2}. \tag{4.13}$$

Now (4.10), (4.11), (4.12) and (4.13) are equations in $\alpha$ only, and by multiplying them by suitable powers of $\alpha$, they can be turned into polynomial equations such that $\alpha$ only occurs to the powers $ti$ for $i = 1, \ldots, 4$ and to lower powers that are independent of $t$. The suitable powers of $\alpha$ are $2t + 2$, $t + t/2 + 2$, $2t + 3$ and $2t + t/2 + 2$, respectively.

Thus we obtain the following four equations.

$$\begin{aligned}
\alpha^{4t} c_1 + \alpha^{3t} c_2 + \alpha^{2t} c_3 + \alpha^{t} c_4 &= d_1 \\
\alpha^{4t} c_5 + \alpha^{3t} c_6 + \alpha^{2t} c_7 + \alpha^{t} c_8 &= d_2 \\
\alpha^{4t} c_9 + \alpha^{3t} c_{10} + \alpha^{2t} c_{11} + \alpha^{t} c_{12} &= d_3 \\
\alpha^{4t} c_{13} + \alpha^{3t} c_{14} + \alpha^{2t} c_{15} + \alpha^{t} c_{16} &= d_4
\end{aligned} \tag{4.14}$$



The $c_i$ and $d_j$ are polynomials in $\alpha$ with degree independent of $t$, for $i = 1, \ldots, 16$ and $j = 1, \ldots, 4$ respectively, so (4.14) can be considered a linear system in the variables $\alpha^{nt}$ for $n = 1, \ldots, 4$, with coefficients $c_i$ and $d_j$. Now the aim is to obtain a single polynomial in $\alpha$ of bounded degree. For this we need the following conjecture.

Conjecture 4.2. For every $P' = P x^{-1}$, $Q' = Q x^{-1}$, $g = h^{x^{-1}}$ where $P, Q \in \mathcal{O}$, $h \in G$ and $x \in \mathrm{GL}(4, q)$, if we regard (4.14) as simultaneous linear equations in the variables $\alpha^{nt}$ for $n = 1, \ldots, 4$, over the polynomial ring $\mathbb{F}_q[\alpha]$, then it has non-zero determinant.

In other words, the determinant of the coefficients $c_i$ is not the zero polynomial. We comment on the validity of Conjecture 4.2 in Section 8.



Lemma 4.3. Given $P'$, $Q'$ and $g$ as in Conjecture 4.2, and assuming Conjecture 4.2, there exists a univariate polynomial $f(\alpha) \in \mathbb{F}_q[\alpha]$ of degree at most 60, such that for every $(\gamma, \delta) \in \mathbb{F}_q^* \times \mathbb{F}_q^*$ that is a solution for $(\alpha, \beta)$ in (4.3) we have $f(\gamma) = 0$.

Proof. So far in this section we have shown that if we can solve (4.14) we can also solve (4.3). From the four equations of (4.14) we can eliminate $\alpha^t$. We can solve for $\alpha^{4t}$ from the fourth equation, and substitute into the third, thus obtaining a rational expression with no occurrence of $\alpha^{4t}$. Continuing this way and substituting into the other equations, we obtain an expression for $\alpha^t$ in terms of the $c_i$ and the $d_i$ only. This can be substituted into any of the equations of (4.14), where $\alpha^{nt}$ for $n = 1, \ldots, 4$ is obtained by powering up the expression for $\alpha^t$. Thus we obtain a rational expression $f_1(\alpha)$ of degree independent of $t$. We now take $f(\alpha)$ to be the numerator of $f_1$.

In other words, we think of the $\alpha^{nt}$ as independent variables and of (4.14) as a linear system over these variables, with coefficients in $\mathbb{F}_q[\alpha]$. By Conjecture 4.2 we can solve this linear system.

Two possible problems can occur: $f$ is identically zero or some of the denominators of the expressions for $\alpha^{nt}$, $n = 1, \ldots, 4$ turn out to be 0. However, Conjecture 4.2 rules out these possibilities. By Cramer's rule, the expression for $\alpha^t$ is a rational expression where the numerator is a determinant, so it consists of sums of products of $c_i$ and $d_j$. Each product consists of three $c_i$ and one $d_j$. By considering the calculations leading up to (4.14), it is clear that each of the products has degree at most 15. Therefore the expression for $\alpha^{4t}$ and hence also $f(\alpha)$ has degree at most 60.

We have only done elementary algebra to obtain $f(\alpha)$ from (4.14), and it is clear that (4.14) was obtained from (4.4) by elementary means only. Hence all solutions $(\gamma, \delta)$ to (4.4) must also satisfy $f(\gamma) = 0$, although there may not be any such solutions, and $f(\alpha)$ may also have other zeros. □

Corollary 4.4. Assuming Conjecture 4.2, there exists a Las Vegas algorithm that, given $P'$, $Q'$ and $g$ as in Conjecture 4.2, finds all $(\gamma, \delta) \in \mathbb{F}_q^* \times \mathbb{F}_q^*$ that are solutions of (4.3). The algorithm has time complexity $O(\log q)$ field operations.

Proof. Let $f(\alpha)$ be the polynomial constructed in Lemma 4.3. To find all solutions to (4.3), we find the zeros $\gamma$ of $f(\alpha)$, compute the corresponding $\delta$ for each zero $\gamma$ using (4.9), and check which pairs $(\gamma, \delta)$ satisfy (4.4). These pairs must be all solutions of (4.3).

The only work needed is simple matrix arithmetic, finding the roots of a polynomial of bounded degree over $\mathbb{F}_q$, and raising matrices to the power $t$, where $t \in O(q)$. Hence the time complexity is $O(\log q)$ field operations and the algorithm is Las Vegas since by [21 Corollary 14.16] the algorithm for finding the roots of $f(\alpha)$ is Las Vegas with this time complexity. □

By following the procedure outlined in Lemma 4.3 it is straightforward to obtain an expression for $f(\alpha)$, where the coefficients are expressions in the entries of $g$, $P'$ and $Q'$, but we will not display it here, since it would take up too much space.

4.2. Complexity.

Theorem 4.5. Given an oracle for the discrete logarithm problem in $\mathbb{F}_q$ and a random element oracle for $G$, the time complexity of Algorithm 1 is $O(\log(q) \log\log(q))$ field operations.

Proof. Diagonalising a matrix uses $O(\log q)$ field operations, since it involves finding the eigenvalues, i.e. finding the roots of a polynomial of constant degree over $\mathbb{F}_q$, see El Corollary 14.16].

Computing the pseudo-order of a matrix uses $O(\log(q) \log\log(q))$ field operations, if we use the algorithm described in [Hj. From Corollary 4.4 it follows that line 6 uses $O(\log q)$ field operations.

Finally, line 11 uses $O(\log q)$ field operations, since the exponents are $O(q)$. We conclude that Algorithm 1 uses $O(\log(q) \log\log(q))$ field operations. □

4.3. Correctness. There are two issues when considering the correctness of Algorithm 1. Using the notation in the algorithm, we have to show that (4.3) has a solution with high probability, and that the integers $k$ and $l$ are positive with high probability.

The algorithm in Corollary 4.4 tries to find an element in the double coset $\mathcal{H} g \mathcal{H}$, where $g = h^{x^{-1}}$, and we will see that this succeeds with high probability when $g \notin N_G(\mathcal{H})$, which is very likely.

If the element $a$ has order precisely $q - 1$, then from the discussion at the beginning of Section 4 we know that the integers $k$ and $l$ will be positive. By Lemma 2.5 we know that it is likely that $a$ has order precisely $q - 1$ rather than just a divisor of $q - 1$.

Hence it follows that Algorithm 1 has high probability of success. We formalise this argument in the following results.

Lemma 4.6. Assume Conjecture 4.2. Let $G = \mathrm{Sz}(q)$ and let $P \in \mathcal{O}$ and $a, h \in G$ be given, such that $|a| = q - 1$. Let $Q \in \mathcal{O}$ be uniformly random. If $h \notin N_G(\langle a \rangle)$, then

$$\frac{(q - 1)^2}{(q^2 + 1) \deg f} \leq \Pr[Q \in P \langle a \rangle h \langle a \rangle] \leq \frac{(q - 1)^2}{q^2 + 1} \tag{4.15}$$

where $f(\alpha)$ is the polynomial constructed in Lemma 4.3. If instead $h \in N_G(\langle a \rangle)$ then

Pr[Q £P(a)h (a)] = (g ^ + 2 ■ (4.16) 



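Proof. If $h \notin N_G(\langle a \rangle)$ then by Lemma 2.4, $|\langle a \rangle h \langle a \rangle| = (q - 1)^2$, and hence

$$|P \langle a \rangle h \langle a \rangle| \leq (q - 1)^2.$$

On the other hand, for every $Q \in \mathcal{O}$ we have

$$|\{ (k_1, k_2) \mid k_1, k_2 \in \langle a \rangle,\ P k_1 h k_2 = Q \}| \leq \deg f \tag{4.17}$$

since this is the equation we consider in Section 4.1, and from Lemma 4.3 we know that all solutions must be roots of $f$. Thus $|P \langle a \rangle h \langle a \rangle| \geq |\langle a \rangle h \langle a \rangle| / \deg f$. Since $Q$ is uniformly random from $\mathcal{O}$, and $|\mathcal{O}| = q^2 + 1$, the result follows.

If $h \in N_G(\langle a \rangle)$ then $\langle a \rangle h \langle a \rangle = h \langle a \rangle$ and $|P h \langle a \rangle| = |\langle a \rangle|$ if $\langle a \rangle$ does not fix $Ph$. By Chapter 11], the number of cyclic subgroups of order $q - 1$ is $\binom{|\mathcal{O}|}{2}$ and $|\mathcal{O}| - 1$ such subgroups fix $Ph$. Moreover, if $\langle a \rangle$ fixes $Ph$ then $P h \langle a \rangle = \{ Ph \}$. Thus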

Pr[Q £P(a)h (a)] = Pr[Q £ Ph (a)] Pr[P/ia ^ Ph} + 

+ Pr|0 . «, . ™, _ J£*M - H^i) + ^ ( , 18 , 

and the result follows. □ 



Theorem 4.7. Assuming Conjecture 4.2 and given a random element oracle for $G$ and an oracle for the discrete logarithm problem in $\mathbb{F}_q$, Algorithm 1 is a Las Vegas algorithm that with probability $s$ returns an element mapping $P$ to $Q$, where

s> 191 ; \ u 7 +0(1/9) (4-19) 
121oglog(gJ deg/ 

Proof. We use the notation from the algorithm. Let $g = h^{x^{-1}}$, $H = \mathcal{H}^x$, $P' = P x^{-1}$ and $Q' = Q x^{-1}$. Corollary 4.4 implies that line 6 will succeed if $Q' \in P' \mathcal{H} g \mathcal{H}$. If $|a| = q - 1$, then $H = \langle a \rangle$, and the previous condition is equivalent to $Q \in P \langle a \rangle h \langle a \rangle$.

Moreover, if $|a| = q - 1$ then line 10 will always succeed. It might of course succeed when $|a|$ is a proper divisor of $q - 1$, so it follows that $s$ satisfies the following inequality.

$$\begin{aligned}
s \geq \Pr[|a| = q - 1] \bigl( &\Pr[h \in N_G(\langle a \rangle)] \Pr[Q \in P \langle a \rangle h \langle a \rangle \mid h \in N_G(\langle a \rangle)] \\
{} + {} &\Pr[h \notin N_G(\langle a \rangle)] \Pr[Q \in P \langle a \rangle h \langle a \rangle \mid h \notin N_G(\langle a \rangle)] \bigr)
\end{aligned} \tag{4.20}$$

Since $h$ is uniformly random, using Theorem 2.2 we obtain

$$\Pr[h \in N_G(\langle a \rangle)] = \frac{2(q - 1)}{|G|} = \frac{2}{q^2 (q^2 + 1)} \tag{4.21}$$

From Lemma 2.5 and Lemma 4.6 we obtain



1) 2 (g-1) 2 , 2 2+(g-l)(^ 



(<Z 2 + l)deg/ <7 2 (g 2 + 1) (g 2 + 1) g 2 ^ 2 + 1) (q 2 



^(g-l) 
2(g-l)deg/ 



0(1/9) 



(4.22) 

and the probability of success follows from Lemma l2~5l 

Clearly if a solution is returned, it is correct, so the algorithm is Las Vegas. □ 



Corollary 4.8. Assuming Conjecture \4-^ and given a random element oracle for 
subgroups o/GL(4, q) and an oracle for the discrete logarithm problem in ¥ q , there 
exists a Las Vegas algorithm that, given X C GL(4, q) such that G = (X) = Sz(q) 
and P £ O, finds a uniformly random g £ Gp, expressed as an SLP in X. The 
algorithm has time complexity 0(log(q) loglog(g)) field operations. If s is as in 
Theorem \4-7\ the probability of success is 

Proof. We compute $g$ as follows.

(1) Find random $x \in G$. Let $Q = Px$ and return with failure if $P = Q$.

(2) Use Algorithm 1 to find $y \in G$ such that $Qy = P$.

(3) Now $g = xy \in G_P$.

Clearly this is a Las Vegas algorithm with probability of success as stated. Moreover, the dominating term in the complexity is the call to Algorithm 1 with time complexity given by Theorem 4.5.

The element $g$ will be expressed as an SLP in $X$, since $x$ is random and elements from Algorithm 1 are expressed as SLPs.

Each call to Algorithm 1 uses independent random elements, so the double cosets under consideration are uniformly random and independent. Therefore the elements returned by Algorithm 1 must be uniformly random. This implies that $g$ is uniformly random. □

5. Constructive membership testing 

We will now give an algorithm for constructive membership testing in $\mathrm{Sz}(q)$. Given a set of generators $X$, such that $G = \langle X \rangle = \mathrm{Sz}(q)$, and given $g \in G$, we want to express $g$ as an SLP in $X$. We need the following result.

Proposition 5.1. If $g_1, g_2 \in \mathcal{FH}$ are uniformly random, then

$$\Pr[|[g_1, g_2]| = 4] = 1 - \frac{1}{q-1}. \tag{5.1}$$

Proof. Let A = TH/Z{F). By Theorem O [31,52] G T and has order 4 if and 
only if [31,32] 4- 2(^ r ) < It therefore suffices to find the proportion of pairs 
fci, fc 2 £ A such that [fci, fc 2 ] = 1. 

If fci = 1 then fc 2 can be any element of A, which contributes q(q — 1) pairs. If 
1 7^ fci £ T I Z(JF) = ¥ q then C^(fci) = Tj Z(JF), so we again obtain q(q — 1) pairs. 
Finally, if fci ^ T j 7j{T) then (C^fci)! = q — 1 so we obtain q(q — 2){q — 1) pairs. 
Thus we obtain q 2 (q — 1) pairs from a total of \A x A\ = q 2 (q — l) 2 pairs, and the 
result follows. □ 
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The algorithm for constructive membership testing has a preprocessing step and 
a main step. The preprocessing step consists of finding "standard generators" for 
02(Gp oo ) = T and C>2(Gp ). In the case of 0%{Gp oo ) the standard generators are 
defined as matrices {S(ai,Xi)} i _ l U {S(0,bi)}™ =1 for some unspecified Xi G ¥ q , 
such that {ai, . . . , a„} and {61, . . . , 6„} form vector space bases of ¥ q over F2 (so 
n = log 2 q = 2m + 1). 

For every $a, b \in \mathbb{F}_q$, every matrix $S(a, b) \in G_{P_\infty}$ can be reduced to the identity by multiplying it by some of the standard generators of $O_2(G_{P_\infty})$, and similarly for $G_{P_0}$. The standard generators are therefore used in the main step to perform row operations in $G_{P_\infty}$ and $G_{P_0}$.
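The reduction described above can be traced on a small case. The following Python example is added here and is not the paper's Magma code: it models $S(a,b)$ as the pair $(a,b)$ over $\mathbb{F}_8$ ($m = 1$, $t = 4$) and picks the standard generators to multiply by through linear algebra over $\mathbb{F}_2$. The product rule $S(a,b)S(c,d) = S(a+c, b+d+a^tc)$, the sample values $a_i = a\lambda^{it}$ and $b_i = b\lambda^{i(t+2)}$, the modulus $x^3+x+1$ and all function names are assumptions of the example.

```python
# Added illustration, not the paper's Magma code.
# GF(8) = F_2[x]/(x^3 + x + 1); field elements are 3-bit integers.
M = 1                      # q = 2^(2m+1) with m = 1
N = 2 * M + 1              # n = log_2 q = 2m + 1
Q = 1 << N                 # q = 8
T = 1 << (M + 1)           # t = 2^(m+1) = 4
MODULUS = 0b1011           # x^3 + x + 1 (assumed choice of irreducible polynomial)


def gf_mul(u, v):
    """Product in GF(2^N): carry-less multiply with reduction."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & Q:
            u ^= MODULUS
    return r


def gf_pow(u, e):
    """u^e in GF(2^N) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r


def s_mul(g, h):
    """Assumed product rule: S(a,b) S(c,d) = S(a + c, b + d + a^t c)."""
    (a, b), (c, d) = g, h
    return (a ^ c, b ^ d ^ gf_mul(gf_pow(a, T), c))


def f2_combination(vectors, target):
    """Indices whose vectors XOR to target, or None if target is not in the span."""
    pivots = {}            # leading bit -> (reduced vector, mask of indices used)
    for i, v in enumerate(vectors):
        mask = 1 << i
        while v and (v.bit_length() - 1) in pivots:
            pv, pm = pivots[v.bit_length() - 1]
            v, mask = v ^ pv, mask ^ pm
        if v:
            pivots[v.bit_length() - 1] = (v, mask)
    chosen = 0
    while target:
        top = target.bit_length() - 1
        if top not in pivots:
            return None
        pv, pm = pivots[top]
        target, chosen = target ^ pv, chosen ^ pm
    return [i for i in range(len(vectors)) if chosen >> i & 1]


def standard_generators(lam, a, b, xs):
    """Pairs for S(a_i, x_i) and S(0, b_i); exponents i*t and i*(t+2) are assumed."""
    gens_a = [(gf_mul(a, gf_pow(lam, i * T)), xs[i - 1]) for i in range(1, N + 1)]
    gens_b = [(0, gf_mul(b, gf_pow(lam, i * (T + 2)))) for i in range(1, N + 1)]
    return gens_a, gens_b


def reduce_to_identity(elem, gens_a, gens_b):
    """Multiply S(a,b) by standard generators until it equals the identity S(0,0).
    Returns the generators used, or None if the a_i or b_i do not span GF(q)."""
    word, cur = [], elem
    for label, gens, coord in (("a", gens_a, 0), ("b", gens_b, 1)):
        picks = f2_combination([g[coord] for g in gens], cur[coord])
        if picks is None:
            return None
        for i in picks:
            cur = s_mul(cur, gens[i])
            word.append((label, i))
    assert cur == (0, 0)
    return word


# Constructed sample data: lam generates GF(8)^*, the x_i are arbitrary.
GENS_A, GENS_B = standard_generators(0b010, 0b001, 0b011, [5, 3, 6])
```

The returned word has at most $2n$ entries, which is the $O(\log q)$ bound on the number of row operations. With $\lambda = 1$, which lies in the proper subfield $\mathbb{F}_2$, the $a_i$ coincide and `reduce_to_identity` returns `None`.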

Theorem 5.2. Assuming Conjecture 4.2 and given a random element oracle for $G$ and an oracle for the discrete logarithm problem in $\mathbb{F}_q$, the preprocessing step is a Las Vegas algorithm that finds standard generators for $O_2(G_{P_\infty})$ and $O_2(G_{P_0})$. The preprocessing step has time complexity $O(\log(q) \log\log(q))$ field operations. The probability of success is at least



Proof. The preprocessing step is the following:

(1) Find random $a_1, a_2 \in G_{P_\infty}$ and $b_1, b_2 \in G_{P_0}$ using the algorithm described in Corollary 4.8. Let $c_1 = [a_1, a_2]$, $c_2 = [b_1, b_2]$.

(2) Determine if $|c_1| = |c_2| = 4$, if $|a_1|$ or $|a_2|$ divides $q - 1$ and if $|b_1|$ or $|b_2|$ divides $q - 1$. Return with failure if any of these turn out to be false.

(3) Let $d_1 \in \{a_1, a_2\}$ where $|d_1|$ divides $q - 1$, and let $d_2 \in \{b_1, b_2\}$ where $|d_2|$ divides $q - 1$. Let $Y_\infty = \{c_1, d_1\}$ and $Y_0 = \{c_2, d_2\}$. Diagonalise $d_1$ and obtain $M'(\lambda) \in G$, where $\lambda \in \mathbb{F}_q^\times$. Determine if $\lambda$ lies in a proper subfield of $\mathbb{F}_q$, and if so return with failure. Do similarly for $d_2$.

(4) As standard generators for $O_2(G_{P_\infty})$ we now take



and similarly we obtain $U$ for $O_2(G_{P_0})$.

It follows from (2.9) and (2.10) that (5.3) provides the standard generators for $G_{P_\infty}$. These are expressed as SLPs in $X$, since this is true for the elements returned from the algorithm described in Corollary 4.8.

By Corollary 4.8 the first step succeeds with probability $r^4$, and the random elements selected are uniformly distributed and independent. Since $G_{P_\infty} = \mathcal{FH}$, the proportion of elements of order $q - 1$ in $G_{P_\infty}$ is $\phi(q-1)/(q-1)$, and similarly for $G_{P_0}$. Hence by Proposition 5.1 the second step succeeds with probability at least $(\phi(q-1)^2 (q-2)^2)/(q-1)^4$. If $|d_1| = |d_2| = q - 1$, the third step will also succeed, since $\lambda$ will not lie in a proper subfield. Hence $O_2(G_{P_\infty}) < \langle Y_\infty \rangle \leq G_{P_\infty}$ and $\langle Y_\infty \rangle = G_{P_\infty}$ precisely when $d_1$ has order $q - 1$, and similarly for $Y_0$.

By the remark preceding the theorem, L determines two sets of field elements 
{di, . . . ,a 2m +i} and {61, . . . ,62 m +i}. In this case each a* = a\ l and 6j = b\ l ^ t+1 \ 
for some fixed a, 6 € , where A is as in the algorithm. Since A does not lie in a 
proper subfield, these sets form vector space bases of ¥ q over F 2 . 

It then follows from Lemma 2.5 and Corollary 4.8 that the probability of success of the preprocessing step is as stated. Therefore the preprocessing step is a Las Vegas algorithm.




(5.2) 



2m+l 




(5.3) 



i=l 
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We only determine if d\ and di have order dividing q — 1 in order to obtain a 
polynomial time algorithm. To determine if A lies in a proper subfield it suffices 
to determine if |A| | 2™ — 1 where n is a proper divisor of 2m + 1. Hence the 
dominating term in the complexity is the computation of random elements in the 
stabiliser, in the first step. The time complexity is therefore the same as for the 
algorithm described in Corollary 14. 81 □ 

Now we consider the algorithm that expresses $g$ as an SLP in $X$. It is given formally as Algorithm 2.

Algorithm 2: ElementToSLP
Data: Standard generators $L$ for $G_{P_\infty}$ and $U$ for $G_{P_0}$. Matrix $g \in \langle X \rangle = G$.
Result: An SLP for $g$ in $X$.

1 begin
2   $r$ := Random($G$)
3   if $gr$ has an eigenspace $Q \in \mathcal{O}$ then
4     Find $z_1 \in G_{P_\infty}$ using $L$ such that $Qz_1 = P_0$.
      /* Now $(gr)^{z_1} \in G_{P_0}$. */
5     Find $z_2 \in G_{P_0}$ using $U$ such that $(gr)^{z_1} z_2 = M'(\lambda)$ for some $\lambda \in \mathbb{F}_q^\times$.
      /* Express diagonal matrix as SLP */
6     $x$ := $\mathrm{Tr}(M'(\lambda))$
7     Find $h = [S(0, (x^t)^{1/4}), S(0, 1)^T]$ using $L \cup U$.
      /* Now $\mathrm{Tr}\, h = x$. */
8     Let $P_1, P_2 \in \mathcal{O}$ be the fixed points of $h$.
9     Find $a \in G_{P_\infty}$ using $L$ such that $P_1 a = P_0$.
10    Find $b \in G_{P_0}$ using $U$ such that $(P_2 a) b = P_\infty$.
      /* Now $h^{ab} \in G_{P_\infty} \cap G_{P_0} = \mathcal{H}$, so $h^{ab} \in \{M'(\lambda)^{\pm 1}\}$. */
11    if $h^{ab} = M'(\lambda)$ then
12      Let $W$ be an SLP for $(h^{ab} z_2^{-1})^{z_1^{-1}} r^{-1}$.
13      return $W$
14    else
15      Let $W$ be an SLP for $((h^{ab})^{-1} z_2^{-1})^{z_1^{-1}} r^{-1}$.
16      return $W$
17    end
18  end
19  return fail
20 end



Theorem 5.3. Given a random element oracle for $G$, Algorithm 2 is a Las Vegas algorithm with probability of success $1/2 + O(1/q)$.

Proof. First observe that since $r$ is randomly chosen we obtain it as an SLP. On line 3 we check if $gr$ fixes a point, and from Lemma 2.6 we see that

Pr[gr fixes a point] = |?^^y ~ \ ( 5 - 4 ) 

The elements found at lines 4 and 5 can be computed using row operations, so we can obtain them as SLPs.

The element $h$ found at line 7 clearly has trace $x$, and it can be computed using row operations, so we obtain it as an SLP. From Lemma 2.7 we know that $h$ is conjugate to $M'(\lambda)$ and therefore must fix 2 points of $\mathcal{O}$. Hence lines and make sense, and the elements found can again be computed using row operations and therefore we obtain them as SLPs.

The only elements in $\mathcal{H}$ that are conjugate to $h$ are $M'(\lambda)^{\pm 1}$, so clearly $h^{ab}$ must be one of them.

Finally, the elements that make up W were found as SLPs, and it is clear that 
if we evaluate W we obtain g. Hence the algorithm is Las Vegas and the theorem 
follows. □ 

5.1. Complexity. 

Theorem 5.4. Given a random element oracle for $G$, Algorithm 2 has time complexity $O(\log q)$ field operations, space complexity $O(\log^2 q)$ and the length of the returned SLP is $O(\log q)$.

Proof. From (5.3) we see that the number of standard generators is $O(\log q)$, and each matrix uses $O(\log q)$ space, so the space complexity of the algorithm is $O(\log^2 q)$.

This also immediately implies that the row operations performed at lines El 121 121 and [21 use $O(\log q)$ field operations.

Finding the fixed points of $h$, and performing the check at line |21 only amounts to considering eigenspaces, which uses $O(\log q)$ field operations. Thus the time complexity of the algorithm is $O(\log q)$ field operations.

The SLPs returned from Algorithm ^ have length $O(1)$, and (5.3) implies that each standard generator also has length $O(1)$. Hence because of our row operations, $W$ will have length $O(\log q)$. □

6. Recognition 

We now discuss how to recognise $\mathrm{Sz}(q)$. We are given a set $X \subseteq \mathrm{GL}(4, q)$ and we want to decide whether or not $\langle X \rangle = \mathrm{Sz}(q)$, the group defined in (2.4).

To do this, it suffices to determine if $X \subseteq \mathrm{Sz}(q)$ and if $X$ does not generate a proper subgroup, i.e. if $X$ is not contained in a maximal subgroup. To determine if $g \in X$ is in $\mathrm{Sz}(q)$, first determine if $\det(g) = 1$, then determine if $g$ preserves the symplectic form of $\mathrm{Sp}(4, q)$ and finally determine if $g$ is a fixed point of the automorphism $\Psi$ of $\mathrm{Sp}(4, q)$, mentioned in Section 2.

The recognition algorithm relies on the following result. 

Lemma 6.1. Let $H = \langle X \rangle \leq \mathrm{Sz}(q) = G$, where $X = \{x_1, \dots, x_n\}$ and let $C = \{[x_i, x_j] \mid 1 \leq i < j \leq n\}$ and $M$ be the natural module of $H$. Then $H = G$ if and only if the following hold:

(1) $M$ is an absolutely irreducible $H$-module.

(2) $H$ is not conjugate in $\mathrm{GL}(4, q)$ to a subgroup of $\mathrm{GL}(4, r)$, where $q$ is a proper power of $r$.

(3) $C \neq \{1\}$ and for every $c \in C \setminus \{1\}$ there exists $x \in X$ such that $[c, c^x] \neq 1$.

Proof. By Theorem 2.2 the maximal subgroups of $G$ that do not satisfy the first two conditions are $N_G(\mathcal{H})$, $\mathcal{B}_1$ and $\mathcal{B}_2$. For each, the derived group is contained in the normalised cyclic group, so all these maximal subgroups are metabelian. If $H$ is contained in one of them and $H$ is not abelian, then $C \neq \{1\}$, but $[c, c^x] = 1$ for every $c \in C$ and $x \in X$ since the second derived group of $H$ is trivial. Hence the last condition is not satisfied.

Conversely, assume that $H = G$. Then clearly, the first two conditions are satisfied, and $C \neq \{1\}$. Assume that the last condition is false, so for some $c \in C \setminus \{1\}$ we have that $[c, c^x] = 1$ for every $x \in X$. This implies that $c^x \in C_G(c) \cap C_G(c)^x$, and it follows from Theorem EH that $C_G(c) = C_G(c)^{x^{-1}}$. Thus $C_G(c) = C_G(c)^g$ for all $g \in G$, so $C_G(c) \trianglelefteq G$, but $G$ is simple and we have a contradiction. □

Theorem 6.2. There exists a Las Vegas algorithm that, given $X \subseteq \mathrm{GL}(4, q)$, decides whether or not $\langle X \rangle = \mathrm{Sz}(q)$. Its time complexity is $O(|X|^2)$ field operations.

Proof. The algorithm proceeds as follows.

(1) Determine if every $x \in X$ is in $\mathrm{Sz}(q)$, and return false if not.

(2) Determine if $\langle X \rangle$ is absolutely irreducible and if it is not conjugate in $\mathrm{GL}(4, q)$ to a subgroup of $\mathrm{GL}(4, r)$, where $q$ is a proper power of $r$. Return false if any of these turn out to be false.

(3) Using the notation of Lemma 6.1, try to find $c \in C$ such that $c \neq 1$. Return false if it cannot be found.

(4) If such $c$ can be found, and if $[c, c^x] \neq 1$ for some $x \in X$, then return true, else return false.

From the discussion at the beginning of this section, the first step is easily done using $O(|X|)$ field operations. The MeatAxe (see [13] and E3) can be used to determine if the natural module is absolutely irreducible; the algorithm of can be used to determine if $\langle X \rangle$ is conjugate in $\mathrm{GL}(4, q)$ to a subgroup of $\mathrm{GL}(4, r)$, where $q$ is a proper power of $r$. Both these algorithms have time complexity $O(|X|)$ field operations.

The rest of the algorithm is a straightforward application of the last condition in Lemma 6.1, except that it is sufficient to use the condition for one nontrivial commutator $c$. By Lemma 6.1, if $[c, c^x] \neq 1$ then $\langle X \rangle = \mathrm{Sz}(q)$; but if $[c, c^x] = 1$, then $C_{\langle X \rangle}(c) \trianglelefteq \langle X \rangle$ and we cannot have $\mathrm{Sz}(q)$.

It follows immediately that the time complexity of the algorithm is $O(|X|^2)$ field operations. Since the MeatAxe is Las Vegas, this algorithm is also Las Vegas. □

7. The conjugation problem 

Given a conjugate $G$ of $\mathrm{Sz}(q)$ we describe an algorithm to construct an isomorphism from $G$ to $\mathrm{Sz}(q)$ by finding a conjugating element. As one component, we need another recognition algorithm for $G$, since the one described in Section 6 only works for the standard copy of $\mathrm{Sz}(q)$. In 4 i5 a general recognition algorithm is described which could be used, but we prefer the very fast algorithm described below, which works for this special case.

7.1. Recognition. We want to determine if a given group $G = \langle X \rangle \leq \mathrm{GL}(4, q)$ is a conjugate of $\mathrm{Sz}(q)$, without finding a conjugating element. We consider carefully the subgroups of $\mathrm{Sp}(4, q)$ and rule out all except those isomorphic to $\mathrm{Sz}(q)$. This relies on the fact that, up to Galois automorphisms, $\mathrm{Sz}(q)$ has only one equivalence class of faithful representations in $\mathrm{GL}(4, q)$ (see |2D), so if we can show that $G \cong \mathrm{Sz}(q)$ then $G$ is a conjugate of $\mathrm{Sz}(q)$.

Theorem 7.1. There exists a Las Vegas algorithm that, given $X \subseteq \mathrm{GL}(4, q)$, decides whether or not $\langle X \rangle^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$. The algorithm has time complexity $O(|X|^2)$ field operations.

Proof. Let $G = \langle X \rangle$. The algorithm proceeds as follows.

(1) Determine if $G$ is absolutely irreducible, using the MeatAxe, and return false if not.

(2) Determine if $G$ preserves a non-zero symplectic form $M$. If so we conclude that $G$ is a subgroup of a conjugate of $\mathrm{Sp}(4, q)$, and if not then return false. This is essentially isomorphism testing of modules, which is described in [13]. Since $G$ is absolutely irreducible, the form is unique up to a scalar multiple.

(3) Conjugate $G$ so that it preserves the form $J$. This amounts to finding a symplectic basis, i.e. finding an invertible matrix $X$ such that $XJX^T = M$, which is easily done. Then $G^X$ preserves the form $J$ and thus $G^X \leq \mathrm{Sp}(4, q)$ so that we can apply $\Psi$.

(4) Determine if $V \cong V^\Psi$, where $V$ is the natural module for $G$ and $\Psi$ is the automorphism from Lemma 2.3. If so we conclude that $G$ is a subgroup of some conjugate of $\mathrm{Sz}(q)$, and if not then return false.

(5) Determine if $G$ is a proper subgroup of $\mathrm{Sz}(q)$, i.e. if it is contained in a maximal subgroup. This can be done using Lemma 6.1. If so, then return false, else return true.

The algorithms for finding a preserved form and for module isomorphism testing are Las Vegas, with the same time complexity as the MeatAxe (see [13] and [15]), which is $O(|X|)$ field operations since $G$ has constant degree. Hence we obtain a Las Vegas algorithm, with the same time complexity as the algorithm from Theorem

o □ 

7.2. Finding a conjugating element. Now we assume that we are given $G \leq \mathrm{GL}(4, q)$ such that $G^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$, and we turn to the problem of finding some $g \in \mathrm{GL}(4, q)$ such that $G^g = \mathrm{Sz}(q)$, thus obtaining an isomorphism from any conjugate of $\mathrm{Sz}(q)$ to the standard copy.

Lemma 7.2. Given a random element oracle for subgroups of $\mathrm{GL}(4, q)$, there exists a Las Vegas algorithm that, given $X \subseteq \mathrm{GL}(4, q)$ such that $\langle X \rangle^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$, finds a point $P \in \mathcal{O}^{h^{-1}} = \{Qh^{-1} \mid Q \in \mathcal{O}\}$. The algorithm has time complexity $O(\log q)$ field operations.

Proof. Clearly $\mathcal{O}^{h^{-1}}$ is the set on which $\langle X \rangle$ acts doubly transitively. For a matrix $M'(\lambda) \in \mathrm{Sz}(q)$ we see that the eigenspaces corresponding to the eigenvalues $\lambda^{\pm(t+1)}$ will be in $\mathcal{O}$. Moreover, every element of order dividing $q - 1$ in every conjugate $G$ of $\mathrm{Sz}(q)$ will have eigenvalues of the form $\mu^{\pm(t+1)}, \mu^{\pm 1}$ for some $\mu \in \mathbb{F}_q^\times$, and the eigenspaces corresponding to $\mu^{\pm(t+1)}$ will lie in the set on which $G$ acts doubly transitively.

Hence to find a point $P \in \mathcal{O}^{h^{-1}}$ it suffices to find a random $g \in \langle X \rangle$ of order dividing $q - 1$, which is easy by Lemma 2.5, and then find the eigenspaces of $g$. Clearly this is a Las Vegas algorithm that uses $O(\log q)$ field operations. □

Lemma 7.3. There exists a Las Vegas algorithm that, given $X \subseteq \mathrm{GL}(4, q)$ such that $\langle X \rangle^d = \mathrm{Sz}(q)$ where $d = \mathrm{diag}(d_1, d_2, d_3, d_4) \in \mathrm{GL}(4, q)$, finds a diagonal matrix $e \in \mathrm{GL}(4, q)$ such that $\langle X \rangle^e = \mathrm{Sz}(q)$, using $O(|X| + \log q)$ field operations.

Proof. Let $G = \langle X \rangle$. Since $G^d = \mathrm{Sz}(q)$, $G$ must preserve the symplectic form

$$K = dJd = \begin{bmatrix} 0 & 0 & 0 & d_1 d_4 \\ 0 & 0 & d_2 d_3 & 0 \\ 0 & d_2 d_3 & 0 & 0 \\ d_1 d_4 & 0 & 0 & 0 \end{bmatrix} \tag{7.1}$$

where $J$ is given by (2.12). Using [13], we can find this form, which is determined up to a scalar multiple. Hence the diagonal matrix $e = \mathrm{diag}(e_1, e_2, e_3, e_4)$ that we want to find is also determined up to a scalar multiple (and up to multiplication by a diagonal matrix in $\mathrm{Sz}(q)$).

Since $e$ must take $J$ to $K$, we must have $K_{1,4} = d_1 d_4 = e_1 e_4$ and $K_{2,3} = d_2 d_3 = e_2 e_3$. The matrix $e$ is determined up to a scalar multiple, so we can choose $e_4 = 1$ and $e_1 = K_{1,4}$. Hence it only remains to determine $e_2$ and $e_3$.

To conjugate $G$ into $\mathrm{Sz}(q)$ we must have $Pe \in \mathcal{O}$ for every point $P \in \mathcal{O}^{d^{-1}}$, which is the set on which $G$ acts doubly transitively. By Lemma 7.2 we can find $P = (p_1 : p_2 : p_3 : 1) \in \mathcal{O}^{d^{-1}}$, and the condition $Pe = (p_1 K_{1,4} : p_2 e_2 : p_3 e_3 : 1) \in \mathcal{O}$ is given by (2.11) and amounts to

$$p_2 p_3 K_{2,3} + (p_2 e_2)^t + (p_3 e_3)^{t+2} - p_1 K_{1,4} = 0 \tag{7.2}$$

which is a polynomial equation in the two variables $e_2$ and $e_3$.

Notice that we can consider $e_2^t$ to be the variable, instead of $e_2$, since if $x = e_2^t$, then $e_2 = \sqrt{x^t}$. Similarly, we can let $e_3^{t+2}$ be the variable instead of $e_3$, since if $y = e_3^{t+2}$ then $e_3 = y^{1-t/2}$. Thus instead of (7.2) we obtain a linear equation

$$p_2^t x + p_3^{t+2} y = p_1 K_{1,4} - p_2 p_3 K_{2,3} \tag{7.3}$$

in the variables $x, y$. Thus the complete algorithm for finding $e$ proceeds as follows.

(1) Find the form $K$ that is preserved by $G$, using [13].

(2) Find $P, Q \in \mathcal{O}^{d^{-1}}$ using Lemma 7.2.

(3) Let $P = (p_1 : p_2 : p_3 : p_4)$ and $Q = (q_1 : q_2 : q_3 : q_4)$. Determine if the following linear system in the variables $x$ and $y$ is singular, and if so return with failure.

$$\begin{aligned} p_2^t x + p_3^{t+2} y &= p_1 K_{1,4} - p_2 p_3 K_{2,3} \\ q_2^t x + q_3^{t+2} y &= q_1 K_{1,4} - q_2 q_3 K_{2,3} \end{aligned} \tag{7.4}$$

(4) Let $(\alpha, \beta)$ be a solution to the linear system. The diagonal matrix $e = \mathrm{diag}(K_{1,4}, \sqrt{\alpha^t}, \beta^{1-t/2}, 1)$ now satisfies that $G^e = \mathrm{Sz}(q)$.

By Lemma 7.2 and [13], this is a Las Vegas algorithm that uses $O(|X| + \log q)$ field operations. □

Lemma 7.4. There exists a Las Vegas algorithm that, given subsets $X$, $Y_P$ and $Y_Q$ of $\mathrm{GL}(4, q)$ such that $O_2(G_P) < \langle Y_P \rangle \leq G_P$ and $O_2(G_Q) < \langle Y_Q \rangle \leq G_Q$, respectively, where $\langle X \rangle = G$, $G^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$ and $P, Q \in \mathcal{O}^{h^{-1}}$, finds $k \in \mathrm{GL}(4, q)$ such that $(G^k)^d = \mathrm{Sz}(q)$ for some diagonal matrix $d \in \mathrm{GL}(4, q)$. The algorithm has time complexity $O(|X|)$ field operations.

Proof. Notice that the natural module $V = \mathbb{F}_q^4$ of $\mathcal{FH}$ is uniserial with four non-zero submodules, namely $V_i = \{(v_1, v_2, v_3, v_4) \in \mathbb{F}_q^4 \mid v_j = 0, j > i\}$ for $i = 1, \dots, 4$. Hence the same is true for $\langle Y_P \rangle$ and $\langle Y_Q \rangle$ (but the submodules will be different) since they lie in conjugates of $\mathcal{FH}$.

Now the algorithm proceeds as follows.

(1) Let $V = \mathbb{F}_q^4$ be the natural module for $\langle Y_P \rangle$ and $\langle Y_Q \rangle$. Find composition series $V = V_4^P \supset V_3^P \supset V_2^P \supset V_1^P$ and $V = V_4^Q \supset V_3^Q \supset V_2^Q \supset V_1^Q$ using the MeatAxe.

(2) Let $U_1 = V_1^P$, $U_2 = V_3^P \cap V_2^Q$, $U_3 = V_2^P \cap V_3^Q$ and $U_4 = V_1^Q$. For each $i = 1, \dots, 4$, choose $u_i \in U_i$.

(3) Now let $k$ be the matrix such that $k^{-1}$ has $u_i$ as row $i$, for $i = 1, \dots, 4$.

We now motivate the second step of the algorithm. Let $(M)_i$ denote the $i$-th row of a matrix $M$, and let $V_i^P$ and $V_i^Q$ be as in the algorithm.

We may assume that $Y_P = \{x, y\}$, $Y_Q = \{u, v\}$ where $|x| = |u| = 4$ and both $|y|$ and $|v|$ divide $q - 1$ (and $y$ and $v$ are nontrivial).

There exists $g' \in \mathrm{Sz}(q)$ such that $Phg' = P_\infty$ and $Qhg' = P_0$, since $\mathrm{Sz}(q)$ acts doubly transitively on $\mathcal{O}$. If we let $z = hg'$, then $\langle Y_P \rangle^z$ and $\langle Y_Q \rangle^z$ consist of lower and upper triangular matrices, respectively. Hence there exist $a_1, b_1 \in \mathbb{F}_q$ such that $x = S(a_1, b_1)^{z^{-1}}$, and then $V_1^P = \langle (x)_1 \rangle = \langle (S(a_1, b_1))_1 z^{-1} \rangle = V_1 z^{-1}$. But $(S(a_1, b_1))_1 z^{-1} = (z^{-1})_1$ so by choosing some non-zero vector in $V_1^P$ we obtain a scalar multiple of the first row of $z^{-1}$. Similarly, there exist $a_2, b_2 \in \mathbb{F}_q$ such that $u = (S(a_2, b_2)^T)^{z^{-1}}$, and $V_1^Q = \langle (u)_4 \rangle = \langle (S(a_2, b_2)^T)_4 z^{-1} \rangle$, where $S(a_2, b_2)^T$ is the transpose of $S(a_2, b_2)$. But $(S(a_2, b_2)^T)_4 z^{-1} = (z^{-1})_4$ so by choosing some non-zero vector in $V_1^Q$ we obtain a scalar multiple of the fourth row of $z^{-1}$.

Note that $\dim V_3^P \cap V_2^Q = 1$ and $\dim V_2^P \cap V_3^Q = 1$, and by choosing non-zero vectors from these we obtain scalar multiples of the second and third rows of $z^{-1}$, respectively.

Thus the matrix $k$ found in the algorithm satisfies that $z = kd$ for some diagonal matrix $d \in \mathrm{GL}(4, q)$. Since $\mathrm{Sz}(q) = G^h = G^z = (G^k)^d$, the algorithm returns a correct result, and it is Las Vegas because the MeatAxe is Las Vegas (see [13] and [15]). Clearly the time complexity is the same as the MeatAxe, so the algorithm uses $O(|X|)$ field operations. □

Theorem 7.5. Assuming Conjecture 4.2 and given a random element oracle for subgroups of $\mathrm{GL}(4, q)$, there exists a Las Vegas algorithm that, given $X \subseteq \mathrm{GL}(4, q)$ such that $\langle X \rangle^h = \mathrm{Sz}(q)$ for some $h \in \mathrm{GL}(4, q)$, finds $g \in \mathrm{GL}(4, q)$ such that $\langle X \rangle^g = \mathrm{Sz}(q)$. The algorithm has time complexity $O(\log(q) \log\log(q) + |X|)$ field operations.

Proof. Let $G = \langle X \rangle$. First note that $g$ is determined up to multiplication by an element of $\mathrm{Sz}(q)$, so we will find $g$ such that $hg' = g$ where $g' \in \mathrm{Sz}(q)$.

The algorithm described in Corollary 4.8 works equally well for a conjugate of $\mathrm{Sz}(q)$, so we can find generators for a stabiliser of a point in $G$, using the algorithm described in Theorem 5.2. In this case we do not need the elements as SLPs, so a discrete log oracle is not necessary.

(1) Find points $P, Q \in \mathcal{O}^{h^{-1}}$ using Lemma 7.2. Return with failure if $P = Q$.

(2) Find generating sets $Y_P$ and $Y_Q$ such that $O_2(G_P) < \langle Y_P \rangle \leq G_P$ and $O_2(G_Q) < \langle Y_Q \rangle \leq G_Q$ using the first three steps of the algorithm from the proof of Theorem 5.2.

(3) Find $k \in \mathrm{GL}(4, q)$ such that $(G^k)^d = \mathrm{Sz}(q)$ for some diagonal matrix $d \in \mathrm{GL}(4, q)$, using Lemma 7.4.

(4) Find a diagonal matrix $e$ using Lemma 7.3.

(5) Now $g = ke$ satisfies that $G^g = \mathrm{Sz}(q)$.

By Lemma 7.2, 7.4 and 7.3 and the proof of Theorem 5.2, this is a Las Vegas algorithm with time complexity as stated. □

8. Implementation and performance 

An implementation of the algorithms described here is available in Magma. 
The implementation uses the existing Magma implementations of the algorithms 
described in 0, 0, [TTJ, [E] and [2H Corollary 14.16]. 

A benchmark of the recognition algorithm described in Section 7.1, for various field sizes $q = 2^{2m+1}$, is given in Figure 8.1. For each field size, 200 random conjugates of $\mathrm{Sz}(q)$ were recognised and the average running time for each call is displayed.

A benchmark of the conjugation algorithm described in Section 7.2, for various field sizes $q = 2^{2m+1}$, is given in Figure 8.2. For each field size, 100 random conjugates of $\mathrm{Sz}(q)$ were considered and a conjugating element found. The average running time for each call is displayed.

The constructive membership and conjugation algorithms both need to compute generating sets of stabilisers, so they depend on Algorithm 1. Therefore our implementation depends on the Magma implementation of discrete log. Since we are in characteristic 2, there is a specialised algorithm for discrete log, Coppersmith's algorithm (see ||]), which is implemented in Magma.

Figure 8.1. Benchmark of recognition



We have benchmarked the computation of generating sets for stabilisers, for various field sizes, as shown in Figure 8.3. For each field size, $q = 2^{2m+1}$, generating sets for the stabilisers of 100 random points were computed, and the average running time for each call is listed. The amount of this time that was spent in discrete logarithm computations is also indicated.

We used the software package R (see US]), to produce Figures 8.1, 8.2 and 8.3.

All benchmarks were carried out using Magma V2.12-9, on a PC with an Intel Xeon CPU running at 2.8 GHz and with 1 GB of RAM. For the conjugation problem, the highest value of $m$ was 55, since higher field sizes required too much memory. For the recognition and stabiliser computation, there was never any shortage of memory, and the benchmark indicated that much larger fields should also be feasible. The expectation was that the conjugation problem and the stabiliser computation would be much more time consuming than the recognition, and in order to shorten the total time, 100 rather than 200 computations were performed for each field size. The benchmark confirmed this expectation.

Moreover, the benchmark was also used as a way to check Conjecture 4.2. Each stabiliser computation involves at least 2 calls to Algorithm 2] so at least 14000 checks of the conjecture were made during the benchmark. The fact that it never failed provides strong evidence to support the conjecture.

Figure 8.2. Benchmark of conjugation